Operational Rhythm at the Black Hat 2017 NOC

Jul 28, 2017 | by Matt Tharp

Operational rhythm is the term for the nebulous flow of information between parts of a team that makes it so effective: who needs what, and when, to be successful? In the Black Hat NOC, we have very little time to establish such a rhythm. However, nowhere is a process for distributing critical information more important than here. We need to provide access to hacker tools, but then ensure they aren't used to attack the Black Hat network or other attendees.

A process to quickly understand 'normal' on such an unusual network is crucial. Such a process, shown below, is not groundbreaking; however, we see a lot of organizations stumble when trying to set up their rhythm. Establish your operating rhythm with simplicity.

RSA started by analyzing the protocols in the environment. We then generated reports to methodically review the content, whitelisting the aspects that are OK on the Black Hat network. Finally, we analyzed the outliers. We will repeat this process all week, one day at a time.

Let's talk through each of these stages in a little more detail.

First, protocol analysis sounds like a Herculean effort. We used the methodologies espoused by our Incident Response (IR) team in their Hunting Guide. We begin by identifying the protocols of interest and then determine what meta is of interest in that protocol. Let's consider RDP traffic. Here is a small sampling of meta available for an encrypted protocol. We look at the amount of data in the session and what networks were involved; we look to see if they are tunneling over a strange port and we can see their SSL certificate information.

We turn that meta into a report that lets us easily scroll through the sessions of interest and understand what looks normal on our network. These reports run every day; we review them to better understand our environment (the baseline) and then filter them to find the outliers. Each day, we get more efficient. For example, we see a session from the 'internal-conference-wifi' to an external destination. Policing people connecting to their cloud instances isn't part of our mandate, so we can filter out this type of traffic in the future. Then, we are only left with the outliers.
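The report-then-filter loop described above, sketched as an added example (this is not RSA's tooling or code from the original post). The field names, the "external" network label and the sample sessions are constructed for illustration; only 'internal-conference-wifi' comes from the text.

```python
# Constructed RDP session meta; field names are hypothetical, not product meta keys.
SESSIONS = [
    {"id": 1, "src_net": "internal-conference-wifi", "dst_net": "external", "port": 3389, "bytes": 48000},
    {"id": 2, "src_net": "internal-conference-wifi", "dst_net": "external", "port": 3389, "bytes": 52000},
    {"id": 3, "src_net": "internal-conference-wifi", "dst_net": "external", "port": 443, "bytes": 910000},
    {"id": 4, "src_net": "internal-conference-wifi", "dst_net": "internal-conference-wifi", "port": 3389, "bytes": 7300},
]

RDP_PORT = 3389  # IANA-registered RDP port

# Patterns already reviewed and judged normal. A rule is field -> required value;
# a session is filtered out when it matches every field of any rule.
ALLOW_RULES = [
    {"src_net": "internal-conference-wifi", "dst_net": "external", "port": RDP_PORT},
]

def matches(session, rule):
    return all(session.get(field) == value for field, value in rule.items())

def daily_report(sessions):
    """Group sessions by (src_net, dst_net, port) with counts and byte totals."""
    report = {}
    for s in sessions:
        key = (s["src_net"], s["dst_net"], s["port"])
        row = report.setdefault(key, {"sessions": 0, "bytes": 0})
        row["sessions"] += 1
        row["bytes"] += s["bytes"]
    return report

def outliers(sessions, allow_rules):
    """Return (id, reasons) for every session no allow rule covers."""
    found = []
    for s in sessions:
        if any(matches(s, rule) for rule in allow_rules):
            continue  # reviewed on an earlier day, part of the baseline
        reasons = []
        if s["port"] != RDP_PORT:
            reasons.append("non-standard port")
        found.append((s["id"], reasons or ["network pair not yet reviewed"]))
    return found

if __name__ == "__main__":
    for key, row in daily_report(SESSIONS).items():
        print(key, row)
    for session_id, reasons in outliers(SESSIONS, ALLOW_RULES):
        print("review session", session_id, reasons)
```

Each day's review adds entries to ALLOW_RULES, so the outlier list shrinks to the sessions that still need packet-level analysis.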

Reviewing the outliers consists of protocol analysis again. With full packets, it doesn't take long to sift through our outliers and protect your hacking experience. Happy Hacking.